By Attorney James Drake
Special to THELAW.TV
Most Bring Your Own Device (BYOD) policies are reactive. In itself, this is not necessarily bad, but it often leads to the implementation of a hurriedly drafted policy that leaves employer resources as vulnerable as before because of poor wording and misunderstanding. This guide will provide an approach that is immediately usable and adaptable as new technologies come on line.
Why You Need A BYOD Policy
The implementation of most after-the-fact BYOD policies is usually ineffective, but insidious. They are ineffective because those who already have access must be convinced that there is a link between the new policy intrusions and recognizable benefits. The insidious aspect of a quickly drafted policy is that management becomes complacent, thinking that the mere existence of a policy is the same as compliance. The end result is a failure that will often not become apparent until after a serious breach occurs.
What constitutes a serious breach will vary from organization to organization, but it can generally be characterized as the publication of proprietary information that would otherwise remain confidential. Examples include hacking into customer lists, compromising company financial data, and accessing valuable R&D trade secrets.
Most businesses that allow employees to access work email, share drives, or in-house databases have already implemented BYOD, whether they have a definitive policy in place or not. Indeed, unless you are just starting a business and you know every one of your employees by name, access will quickly spread beyond the capability of the organization to control it.
There are numerous IT solutions that can address these issues, but most of these force management to choose between the convenience of access and the safety of strong security measures. In nearly every situation, convenience will win out – especially if the CEO wants to be able to type out instructions to his reports on his personal tablet right before he goes to bed at night.
In order to be effective, organizations need to implement targeted protections that guard the organization's crown jewels, while managing access by way of ongoing training. In this way, employees will be reminded of their responsibilities while still enjoying the convenience of untethered access.
Before implementing any policy, however, it is important to decide whether access or security has a higher priority and to consider the consequences of elevating one over the other. Higher security often means less autonomous employees. This can be good in a rigidly structured environment such as a manufacturing plant, but may result in a competitive disadvantage in areas such as sales. This why a BYOD policy should gather input from all internal stakeholders so that levels of access and security are commensurate with individual roles, responsibilities, and expectations.
For anything that a company would consider a trade secret, i.e., information that provides significant value by virtue of not being public knowledge, strong information technology protections should be put in place. This can include tiered levels of access (Read, Annotate, Administer) to company databases that contain this information, as well as the conscious decision to maintain some information on storage media that are not connected to the internet. This not only creates barriers to malicious third parties, it also reminds authorized users to be careful in accessing this information.
It has become axiomatic that the biggest source of leaks in cases of corporate espionage is an employee who unwittingly provides her access codes to a person she believes has similar authorization. These "social engineering" hacks are much easier and less time-consuming than the popular Hollywood trope of the lone hacker employing sophisticated software to break in and steal what he wants.
Accordingly, in addition to limiting the number of people who can access highly sensitive information, as well as what they can access, a world-class BYOD policy must include a training component. Training can be incorporated as part of document management training and should focus on the following:
Managing expectations is another crucial aspect of training. It can be easy to forget that these are personal devices paid for (in most cases) and maintained by the employees themselves. If employees who are used to unfettered access are suddenly confronted with overly restrictive policies that they perceive as making them less efficient, they may choose to ignore them or actively undermine them. Suddenly, the BYOD policy itself has become the catalyst for security breaches!
Communicating the Policy
In addition to the topics listed above, the ultimate goal of training should be to insure that everyone in your organization understands the link between any new behaviors and the attendant benefits. Because the connection between new behaviors and the benefit of improved security is abstract, changes to behaviors should be simple and unobtrusive to assure compliance. There should be 2-3 main takeaways from training and they should be easily incorporated into the established workflow of the organization. These changes should be memorialized as a documented policy and cross-referenced to a code of conduct, electronic communications policy, and any other related policies.
BYOD policies will differ based on a variety of variables, and these variables should be addressed within the context of the policy itself. In particular, a robust BYOD policy should include headings that address the following:
The author, parent attorney James Drakes, blogs at intangibleexpertise.com.